PCI DSS: What It Is, and How to Comply

September 18, 2019 at 8:00 am by Paul Falcone

In the digital age, enhanced debit and credit card functionality has led to an increase in frauds and scams. Given the sensitivity of the information attached to consumers’ payment cards, the critical need to ensure their security from the time of production through every swipe at a retailer or input on an e-commerce website became apparent.


What is PCI DSS?

Visa introduced the first set of credit card security standards—the Cardholder Information Security Program (CISP)—in October 1999, and gave merchants until May 2001 to comply. Other payment card companies would follow suit. These standards created major difficulties for merchants because compliance regulations were different for all major payment card companies, and total compliance was both expensive and laborious.

To combat the rising levels of fraud and create a universal set of security-compliance standards, the five major payment card brands — Visa, MasterCard, American Express, Discover, and JCB — formed the Payment Card Industry Security Standards Council (PCI SSC) in 2004 and released the first set of unified standards to protect vital consumer information: the Payment Card Industry Data Security Standard (PCI DSS). Since its inception, the PCI DSS has undergone nine updates, the latest being version 3.2.1, released in May 2018.

Under the agreement’s terms, all entities that take part in transmitting or storing cardholder information must be PCI DSS-compliant. In addition to merchants and retail outlets, such entities include e-commerce sites, software as a service (SaaS) providers involved in payment gateways, financial institutions, and security printers. These regulations are intended to ensure that organizational policies regarding data retention, data disposal, and data security are effectively implemented and enforced.

It is important to understand that, although PCI DSS is not a law, the penalties for noncompliance can be quite steep. The PCI SSC does not impose penalties directly. Instead, the council reports regulation infractions to the payment card brands. In turn, they penalize the offending merchant’s acquiring financial institution, which then penalizes the offending merchant.


Data Covered Under PCI DSS

There are two types of data that fall under PCI DSS regulations on data storage: cardholder data and sensitive authentication data.

Cardholder data includes primary account numbers (PANs), cardholder name, card service code, and card expiration date. This data can only be stored while a merchant is waiting for a transaction to be authorized. Anytime the PAN is mobile, it must be encrypted; otherwise, it must be truncated to be unreadable (typically, only the first or last four digits will show when the PAN is static). This data may only be retained for five years, and must be examined quarterly during that time frame to ensure correct storage procedures are followed.

Sensitive authentication data is not to be stored by merchants at any time. This includes track 1 & 2 data contained within the magnetic stripe on the back of the card, CVV2, CVC2, CID and CAV2 codes (card verification codes), and PIN numbers. The only exception is information needed to complete a transaction, such as a PIN number or card verification code. In those instances, such information must be completely disposed of upon transaction completion.

Financial Institutions & PCI DSS

To remain PCI DSS-compliant, financial institutions must follow a strict set of norms to ensure Personally Identifiable Information (PII) is not compromised, including the following:

• Regularly facilitating controlled attempted breaches of the network and cardholder data environment (CDE), along with any systems connected to it;
• Performing quarterly checks for both authorized and unauthorized wireless access points; and
• Conducting white- and-black-box penetration testing on network and application layers anytime significant changes have been made (or at least once per year).

If any of the tests identify issues, the institution should immediately fix the issues and retest until all issues are resolved.

In addition to regular and rigorous testing, financial institutions are responsible for PCI DSS-compliance enforcement for their acquired merchants. They determine how merchants must verify compliance, and they are responsible for rectifying situations when acquired merchants are deemed to be in violation. The resulting fines are levied by the payment card companies on the financial institution, which then trickles the fine down to the merchant in a variety of ways, including special fees, increased processing and transaction fees, and monthly fees. If issues are not resolved, the financial institution could terminate its relationship with the offending merchant, and the merchant could forfeit its authorization to accept payment cards altogether.

Since PCI DSS compliance starts at card production and ends at card destruction, financial institutions must also account for the card-creation process, by which they must verify that their security printing process or vendor is also PCI DSS-compliant.

Security Printing & PCI DSS

Regardless of whether the facilities manufacturing payment cards or any part of the payment cards are associated with the financial institutions issuing the cards, they are subject to further PCI DSS regulations for maintaining the security of PII. Since a breach at one of these facilities could have severe consequences, both the electronic functions and physical premises must be secure to comply with the PCI DSS.

PII must always be securely encrypted during storage and transmission. The only exception is during the PII customization phase. During this time, the data is not to be on any public-facing network or connected to the internet in any way. Immediately after the information is entered, the data must be encrypted again, which absolutely must occur before reconnection to a network or the internet.


Any vendor handling PII must restrict access to a list of designated individuals who are authorized to enter sensitive cardholder data or access the ability to encrypt or decrypt PII. The vendor must also have a stipulated policy regarding any removable media containing PII. This media must be clearly labeled, stored in a secure location within the facility, and tracked during all movement. An authorized individual must oversee this function, and that person must not have the ability to decrypt any of the data within. When it is possible to delete the data on removable media, the media must be destroyed.

A Chief Information Security Officer (CISO) must be designated to oversee the vendor’s information technology security as well as to report the status of compliance and potential threats to executive management on a monthly basis. This person must also not complete tasks or responsibilities which they approve.

The CISO is responsible for approving network and firewall configurations, which must be in compliance with the PCI DSS regulations. This includes the documented flow of cardholder information from input to destruction (e.g., the stipulation that the system housing the cardholder information must be separate from any other vendor or internet networks and not housed on the same server rack).

Any remote access is restricted to the administrator of the network or system components. Quarterly external vulnerability scans must be completed by a PCI SSC- approved scanning vendor, and internal and external penetration tests must be performed annually and subsequent to any major infrastructure change. Any keys to the premises and sensitive areas must be well logged and accessible only to the designated key holders.

The vendor is also responsible for restricting and securing physical access to the premises. All non-emergency portals must always be locked or electronically controlled, and access must be controlled by a device such as a card reader or biometric scanner. All entrances and exits may allow only one person to enter or exit at a time; in addition, they must be contact-alarm monitored and reinforced to meet local fire and safety regulations. All exterior walls are required to be masonry block or a material of comparable strength, and any windows or doors must be protected against intrusion.

Employee-identification badges/access cards must never contain any logo or company information identifiable by an outside party. Employee access must be restricted to areas necessary for completion of their job functions.

A designated room or building for monitoring a CCTV security system must not be viewable from external locations. Backups of security tapes must be produced daily and kept for a minimum of 90 days. Additionally, if DVR is used, it must be housed in a designated security-equipment room with access restricted to authorized personnel.

A High Security Area (HSA) is any area where payment cards, their components, and/or PII are stored. Production and provisioning tasks are the only activities allowed in an HSA. These areas must also be outfitted with internal motion detectors. Personal items and electronics are absolutely prohibited from these areas. The only personal effects that may be brought inside an HSA are medication and tissues (provided they can be examined through their container).

All processes related to payment card production must be outlined in detail and ensure a traceable trail of possession and production for all cards and card components. Inventory must be thoroughly managed and accounted for, and no unnecessary material may be opened at any time.

All tipping foil reels containing PII must be completely shredded in-house, with dual oversight in an HSA. This should happen at least once per week.

All materials used in the mailing, packaging, and delivery processes must be regulated and inventoried. Wasted mailers must also be logged, as well as mailers completed and transferred to a mailing area. Envelopes containing payment cards should be nondescript and bear no company logos or references. GPS tracking must be in place for the mailers, and vehicle drivers must not have keys that allow access to the mailers being transported. A direct communication channel between the security control room (where movement is also being monitored) and the vehicle must be maintained. Two people must be in the delivery vehicle.

PCI DSS Regulations Regarding Data Destruction

For both paper and electronic data, a comprehensive strategy detailing how to store the media, how long to store it, and how to dispose of it is required for PCI DSS compliance. It is further required that data be destroyed such that it cannot be recreated. The DIN (Deutsches Institut für Normung—German Institute for Standardization) developed internationally recognized standards for data destruction, as outlined in DIN Standard 66399, now globally standardized to ISO/IEC 21964. Security levels of destruction for each form of data are divided into seven categories, with 1 being the least secure and 7 being the most secure.

According to DIN Standard 66399 (ISO/IEC 21964), paper should be disposed of or shredded to a minimum security level of P-4. Particle size should be less than or equal to 160mm2, with a width no greater than 6mm2.

Paper shredded to a P4 particle size

In addition, hard drives should be disposed of at a security level of H-4 or greater. Maximum particle size should be 2000 mm2, rendering it impossible to reassemble the hard drive for data restoration, except by highly specialized machinery. If the hard drive is to be repurposed and retained, complete sanitation of the data to the point of no recovery must be verifiable.

Optical media, such as CDs or DVDs, should be reduced to a maximum particle size of 160mm2 (security level O-4, according to the DIN Standard 66399). Microfilm should be reduced to a level of F-4, or particles no larger than 2.5mm2. Electronic digital media devices, such as USB drives and memory cards, should be destroyed to a minimum level of E-4, which stipulates particles be no larger than 30mm2. Magnetic media, such as cassette tapes, floppy disks, or payment cards, should be destroyed to a minimum security level of T-4, according to DIN Standard 66399—meaning particles must be no larger than 160mm2.

A Quick Word About Metal Payment Cards

Destruction of payment cards is becoming more difficult with the recent release and surge in popularity of metal credit and debit cards. These cards function no differently than their plastic predecessors. They have only increased in number because they score “style points” with consumers. The only real difference is the virtual inability of consumers to shred metal payment cards. Rather than destroy the cards themselves, consumers must now arrange for the issuer to do so. Or use a disintegrator like the SEM Model DS-400 or 1012 Disintegrator.

Being PCI DSS compliant may not be a law, but it certainly is required for all merchants, financial institutions, and security printers. From creation to destruction, it is imperative that PII not be compromised at any point in the process. Be sure that any shredders you use destroy materials to the appropriate level so they cannot be reconstructed. Companies like SEM are very familiar with PCI DSS requirements and have the sophisticated shredding technology required for appropriate data destruction.

Credit Cards & Identity Theft: There’s More Exposure Than You Might Think

August 19, 2019 at 12:23 pm by Paul Falcone

Beyond convenience, credit cards can also provide the cardholder with the ability to build credit (which is necessary for major purchases like buying a home or car) as well as to earn rewards and cash back. However, credit cards can also pose a major threat for identity theft, and likely in more ways than most realize.

Credit Cards & PII

Do you have a credit card? If so, take it out and look at it for a moment. From a glance, there’s a host of obvious Personally Identifiable Information (PII) that’s printed right on it—your name as well as the primary account numbers (PAN), which include the card number, CVV code and expiration date. This PII is certainly sensitive data and in the wrong hands could be used for credit fraud and identity theft.

However, there is also PII contained on your card where you might not think of it. For instance, PII data such as card holder name, service code, expiration date, CVV code and PIN numbers are also stored in the magnetic stripe of the card. Another unseen piece of technology within your credit card that holds the same PII data is an RFID chip. The only way to tell if your card has an RFID chip is if it has the words “Blink,” “PayPass,” or “PayWave” on it, or else a symbol that looks like a Wi-Fi signal turned 90 degrees clockwise.

RFID chips provide further cardholder convenience by allowing payment to occur simply by tapping the card on a pad near the terminal instead of inserting the card into a reader. Even though security codes for your RFID chip are generated every time you use it, it only takes one time for a criminal with the right equipment to intercept your RFID chip communication as you perform a payment transaction and steal all of this sensitive information. (Although the RFID signal is very weak and can only be read from a short distance of a few inches.)

And, even though your credit documentation is likely kept at home or in a credit app, there’s still the threat of theft from the paper trail or digital-document trail of PII connected to the credit card. This includes statements, bills and other communication mailed or digitally transmitted to the cardholder.

Issuers, Printers & PII

You don’t just get a credit card out of thin air. There are other players involved who will also have access to your PII for the application of the credit line as well as the creation of the credit card itself. Obviously, the financial institution and/or lender company that issued the line of credit and therefore the credit card to the cardholder also has full matching records (stored via print and/or digital media) of the cardholder’s PII to authorize and process card transactions.

What is often overlooked is the generator of the credit card, the security printer company that the financial institution and/or lender works with to create the cards. A printing plate unique to the cardholder is used to create the design, lettering and even some security features that are printed onto the card. This means the printing plate contains a copy of your PII. And the tipping foil that’s used to personalize cards can also have PAN left on the foil after it’s been used.

Proper Destruction of Credit Cards & PII Contained

It goes without saying that consumers must properly shred their expired credit cards and shred, pulverize or incinerate all paper documentation related to that credit card that contains PII. If the documentation is stored digitally, the data and the device need to be properly destroyed via software or hardware to clear the data and by overwriting non-sensitive information, or by degaussing the media and rendering the magnetic field permanently unusable, and by destroying the media by shredding, melting, pulverization, disintegration or incineration.

SEM EMP1000-HS Degausser

For a shredder data destruction machine, consumers should follow DIN Standard 66399, at a minimal Level P-5 for the end-of-life destruction of the credit card and ensuing paper documentation. Shredding at P-5 standards ensures the final particle size has a maximum cross-cut surface area of 30mm2 with a maximum strip width of 2mm, or 2x15mm. Shredded data at this size is unlikely to be reproduced even with special equipment.

The financial institution and/or lending institution should practice the same proper end-of-life destruction with their paper and/or digital record trail of the account information containing the consumer’s PII. The financial or lending institution should also ensure that their security printers practice the same standards for the end-of-life destruction of the printing plates and tipping foil used to create the consumer’s card. For these organizations, it’s recommended that they follow DIN Standard 66399 Level P-5, whether it’s for paper or digital media that stores the PII attached to the card and line of credit.

PII Theft Prevention: Complying with Intergraf

In addition to practicing proper data and device destruction when the printing plate and tipping foil reach end-of-life, the security printer should take preventive steps in the creation of the cards and the materials used. One such way to do so is for the security printer to use only printing machinery that’s Intergraf-certified.

Intergraf is a European-based federation for print and digital communication which works to ensure security of the sensitive data stored within those mediums as they’re created. An Intergraf-certified security printer machine provides: a clear structure of requirements and responsibilities, trusted security for printers and suppliers, recognizable reference for governments and industries, prevention of forgery and counterfeiting, maximum security from development to deployment and increased customer confidence and satisfaction.

Intergraf has developed an international standard for security printers and suppliers (.e.g CWA 14641, CWA 15374 and ISO 14298) that also help to direct how these organizations should destroy the printing plates and tipping foil to render them unusable and irrecoverable. For instance, Intergraf stipulates that the destruction standard for printing plates is DIN 66399 P-1, which renders the particle size to a maximum surface area of 2,000mm2, or 12mm strips.

Finding the Right Data Destruction Machine

SEM has both high-volume and high-security shredders that meet the DIN 66399 standards. It’s important to note, too, that SEM recommends on both consumer and commercial level that the machinery is purchased or leased and kept on-site with the consumer or organization. This ensures contact with the sensitive data is limited to only those authorized to receive it.

Data Security Regulation Compliance: Challenges and Solutions

July 1, 2019 at 8:28 pm by Paul Falcone

GDPR. GLBA. FACTA. These are just a few of the recent onslaught of acronyms that have risen to govern federal and state privacy and data security regulations for businesses and organizations. Some are truly new, while others have been established for quite some time and are just getting more attention now. Indeed, consumer privacy laws and protocols have been the focus of society’s conversation at large for the last two years. And, this global conversation is only just getting started.

If you’re just joining in on the discussion, or even if you’re not and you want a quick refresher, continue reading for a quick overview of the most important national and international data security regulations currently in effect.

The Top 8 Data Security Regulations

HIPAA Privacy & Security Rules

Providers, professionals, and clearinghouses (hereto referred as covered entities) in the healthcare industry that are covered under HIPAA must also adhere to specific security regulations for all Protected Health Information (PHI) that the organization collects.

The HIPAA Privacy Rule requires the covered entity to implement appropriate physical (e.g., facility access and control; workstation and device security), technical (e.g., access control; audit controls; integrity controls; transmission security), and administrative (e.g., security management process; security personnel; information access management; workforce training; policy and procedure evaluation) safeguards for PHI to avoid prohibited as well as incidental use and disclosure of the PHI data. See 45 CFR 164.530(c). In addition, the HIPAA Security Rule also requires the covered entity to set policies and procedures for the disposal of electronic PHI (ePHI). As part of this mandatory safeguard process, covered entities must also train their workforce members on the proper disposal policies and procedures erected and enforce these policies. See 45 CFR 164.310(d)(2)(i).These rules hold especially true with the disposal of PHI and requires the covered entity to not only destroy the ePHI and the hardware or electronic media on which it is stored, but to first properly dispose of the ePHI data on the media before that media is made ready for reuse. Failure to adhere to the HIPAA Security and Privacy Rules could result in unlawful release of PHI, and consequently, the potential for identity theft, employment discrimination, or even harm to the individual’s reputation. Moreover, the covered entity can face serious penalties for noncompliance.


The Fair and Accurate Credit Transactions Act (FACTA) is an addendum to the Fair Credit Reporting Act (FCRA) and covers creditors, accountants, lawyers, financial institutions, and other organizations dealing with consumer credit information. FACTA limits how consumer information can be shared as well as controls how this private data is disposed of, to ensure protection of the individual to whom the information pertains from identity theft.

When it comes to the proper disposal of consumer information, FACTA stipulates that reasonable measures must be taken by the organization to prevent the theft or otherwise unauthorized access and use of the protected data. The Rule mandates said data be destroyed by the pulverization, shredding, or burning of all papers in which the consumer information is printed, rendering the information unreadable and otherwise unable to be reconstructed in any manner. FACTA disposal policies also extend to the electronic media housing the protected consumer information.

Organizations under FACTA may also need to incorporate their data disposal policies into the organization’s security information program as required by the Federal Trade Commission’s Standards for Safeguarding Customer Information, 16 CFR part 314 (“Safeguards Rule”) and for persons subject to the Gramm-Leach-Bliley Act.


The Gramm-Leach-Bliley Act (GLBA) of 1999 mandates that financial institutions and any other companies that offer financial products to consumers such as loans, financial or investment advice, and insurance must have safeguards to protect their customers’ sensitive data and must also disclose in full their information-sharing practices and data security policies to their customers.

Check-cashing businesses, payday lenders, real estate appraisers, professional tax preparers, courier services, mortgage brokers, and nonbank lenders are examples of businesses that don’t necessarily fall under the “financial institution” category yet are included in the GLBA. Because these organizations are significantly involved in providing financial products and services, they therefore have access to personally identifiable and sensitive data like social security numbers, phone numbers, addresses, bank and credit card numbers, and income and credit histories.

GLBA-covered organizations must develop a written information security plan that details the policies put in place at the organization to protect customer information. The security measures must be appropriate to the size of the business and the complexity of the data collected. Moreover, each company must designate an employee or a group of personnel to coordinate and enforce its security measures. Lastly, the organization must continually evaluate the effectiveness of its developed security measures, identifying and assessing risks to improve upon the policy and measures taken as needed.


To ensure the protection of proprietary United States data within government agencies and affiliated organizations, legislation to regulate proper data and information security management was passed as part of the Electronic Government Act of 2002. Called the Federal Information Security Management Act (FISMA), this law focuses on the importance of data security as it relates to the economic and national security interests of the US. As such, FISMA stipulates that all US government agencies, government contractors, and any organization that exchanges data directly with a government system must safeguard all of their information technology (IT) systems, including stored data, by developing, documenting, and implementing an information security program.

In 2014, this law was amended to the Federal Information Security Modernization Act (FISMA 2014) to bolster the authority of the Department of Homeland Security (DHS) to administer, implement, and provide technical assistance with policies for information security for non-national (civilian) security federal Executive Branch systems. FISMA 2014 also updated and clarified the oversight authority of the Office of Management and Budget (OMB) and its ability to eliminate inefficient and wasteful reporting of any organization under FISMA. It also sanctions DHS’ role in assisting OMB with this responsibility.

The purpose of FISMA is to protect government information, assets, and operations against natural threats and criminal activity, whether from within the US or outside. Therefore, any US organization directly related to or doing business with the US government, including federal- and state-level government agencies and contractors, state government departments, military subcontractors, and even data clearinghouses fall under FISMA regulations.

Failure to pass a FISMA inspection by DHS or OMB can result in unfavorable publicity for the organization and an IT budget cut, as well as significant administrative ramifications to the organization. However, failure to comply with FISMA, especially when it comes to breach-avoidance and proper data destruction, can have much grander and more catastrophic implications. Should any private, secured federal data be compromised and the organization was found to be noncompliant, there are serious civil and criminal federal consequences.


While a security regulation of the EU, the General Data Protection Regulation (GDPR) of 2016 is applicable to those US-based organizations that do business internationally. GDPR effectively puts the customer first over the business, ruling that all private data is owned by the customer and not the business in which it was collected.

GDPR ensures the protection and privacy of consumer data as it is handled, stored, disclosed, and disposed of by the organization that holds it. Following GDPR requires obtaining consumer consent before collecting any data, providing consumers with a full report on what data has been collected and how it’s used if they request it, as well as a copy of the data itself and the immediate and proper destruction of data if the consumer requests it to be deleted. The organization must also have proper security controls in place for the safeguarding of consumer data and must place someone within the company to oversee and manage these compliance policies, including for data disposal.


An organization under GDPR that is found to be noncompliant is subject to a fine equaling two to four percent of its global annual revenue for the most recent fiscal year (on average, calculated at as much as $11-24 million).


The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s federal privacy law for the handling of personal information by all federally regulated organizations as well as private-sector commercial organizations, regardless of the industry.

Like GDPR, organizations covered by this law must first obtain a consumer’s permission and consent before collecting, using, disclosing, and/or storing any personally identifiable information (PII). In addition, PIPEDA mandates that the information obtained can only be used for the purpose in which it was originally collected or else the organization needs to obtain renewed consent by the consumer for the use change. Moreover, consumers have the right to access their stored personal information as well as the right to challenge its accuracy. (The only organizations exempt from PIPEDA are those that are already subject to the similar privacy laws for private-sector organizations within Alberta, British Columbia, and Quebec provinces.) Canadian-based organizations that handle PII crossing provincial or national borders are also subject to PIPEDA compliance.


Aptly referred to as the “Corporate and Auditing Accountability and Responsibility Act” or the “Public Company Accounting Reform and Investor Protection Act,” the Sarbanes-Oxley (SOX) Act of 2002 addresses the standards by which the management and board of directors of any US-domestic public company handle the financial information and financial reporting of the organization. The SOX Act also extends to public accounting firms as well as to other companies that do business with publicly traded companies, even if said company is not a publicly traded entity.

The SOX Act is made up of two main clauses. According to Section 404 under the Management Assessment of Internal Controls, Clause A requires these publicly traded companies to create a commission on behalf of the company that develops and enforces rules for maintaining an internal control report for each annual financial report by section 13(a) or 15(d) of the Securities
Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)). This internal control report must include information and policies on how management establishes and maintains an adequate structure for internal control as it pertains to the financial reporting of the company. Clause A also requires the commission to write up an annual report on the effectiveness of the internal control policies and financial reporting procedures at the end of each fiscal year.

Clause B expands on the regulations for the internal control evaluation and reporting, adding in required responsibility of the commission or registered public accounting firm issuing the audit report to accurately prepare the audit as stated in Clause A. That is, said commission or public accounting firm is also held liable to the reported information claimed about the management of the stated financial information in the internal control report.

Maintaining compliance with the SOX Act therefore means ensuring all financial information and reporting that pertains to the organization is kept secure and protected from unauthorized personnel and possible theft.


The Payment Card Industry (PCI) Data Security Standard (DSS) protects consumer cardholder data by helping to alleviate the vulnerabilities experienced by credit card merchants for payment card transactions and processing systems.

Following common sense, PCI DSS mandates the credit processing merchant organization adhere to the following three steps: 1) Assessment, as in analyzing the IT assets and payment card processing protocols for the organization to identify any vulnerabilities with regard to the storage of cardholder data; 2) Remediation, as in the fixing of all identified vulnerabilities, and also applicable to ensuring cardholder data is not stored unless it is needed by the business; and 3) Reporting, as in the compilation of records to ensure validity of any remediation actions and the submission of all compliance reports to the bank and card brands with whom the organization does business. Finally, these DSS rules apply to all entities globally that store, process, and/or transmit cardholder data, and with guidance for software developers and manufacturers of applications and devices used in those transactions.

A Standard for Compliance

Depending on the type of business you manage or own, your organization may be subject to one or more of these data and privacy security laws. Rather than create varied sets of rules and policies for each, which could cause issues in overhead and personnel costs, not to mention unnecessary protocol confusion and training needs, it would behoove your business to develop one data security protocol to cover all applicable regulations.

Data Disposal Best Practices

This one-size-fits-all mindset is especially cost-effective when it comes to the data destruction policies under the various laws and regulations.

No matter which regulation your organization follows, it’s recommended that you first create a private space within your organization to house a data and/or drive destruction machine rather than work off-site with a third party at their establishment. You should also create a limited group of personnel with the sole authorization to oversee all data security compliance processes as it pertains to the destruction of data that’s reached end-of-life.

Furthermore, when it comes to the end-of-life cycle, both data and the device in which the data is housed must be destroyed via shredding, degaussing, disintegrating, incinerating, melting, or pulverizing machinery so that neither device nor data can be read or otherwise reconstructed. It may also behoove your organization to keep a record audit of all data destruction events to prove your company’s compliance if a breach at this level does occur.

To ensure these procedures remain as cost-effective as possible, you’ll want to choose a third-party vendor like SEM that has both documentation software, like the iWitness, as well as NIST- and NSA-approved data destruction machinery to purchase and keep at your organization.

Destroying Metal Credit Cards – What’s the Difference?

March 8, 2019 at 6:40 pm by Paul Falcone

Destroying Metal Credit Cards – What’s the Difference?

Metal credit cards are becoming more and more common in today’s high tech environment. Originally reserved for the well-off, these flashy cards have become almost commonplace. Although they often offer the same functionality and benefits as their plastic counterparts, they all come with what’s called the “plunk factor”. Their heavier, sleek design and luxurious feel get you noticed when you plunk them down to pick up the check. However, this plunk factor gives the cards an added density and thickness that means they sometimes need to be destroyed differently than their plastic counterparts.


More Durable. More Information.

Increases in cybersecurity awareness and data breaches have led to a greater demand for better and more secure solutions to control credit information. The need to be able to destroy these heavier more durable cards has become more important than ever, with customers and companies alike looking for the safest and securest way to do so.

Metal cards today can be produced with brass, copper, stainless steel, and even composite mixes of metal and plastic. While data used to just be stored on the print and magnetic strip on a credit card, the push for more security has seen most major card producers add a chip that also stores sensitive information. So we have more durable cards with even more areas with sensitive data on it – data and information that can still be accessed even with the card has expired.

How to Destroy: Shred or Disintegrate?

When it comes time to dispose of metal credit cards either due to expiration or possible fraud, credit card issuers will offer to send customers a pre-paid envelope to send cards back for destruction. Once returned, the credit card company is responsible for recycling or destroying the cards. The PCI Security Standards Council guideline for destruction is to destroy credit cards by “shredding or grinding such that the resulting material cannot be reconstructed”.

One method of destruction is with a heavy duty shredder capable of accepting different types of media including paper, CDs, credit cards, staples, and paper clips. The SEM model F65 cross-cut shredder with a capacity of up to 65 sheets per pass can be used for light volume of metal credit card shredding. It can effectively shred these cards into strips similar to shredded paper strips. Once shredded, there is little chance any of the information on the card can be accessed.


Another method of destruction for metal credit cards is with a disintegrator.  These machines use rotary knife mill technology to destroy a variety of bulk material.  A disintegrator can shred larger volumes of metal cards at higher capacities and can also be customized to shred to a specific particle size.  Available with larger horsepower motors and customizable particle sizing screens, disintegrators like the SEM Model 1012 are designed to be used in multiple applications where secure destruction at higher capacities is needed.   Disintegrators offer greater assurance that the data bearing elements (magnetic strips and chips) are destroyed so that the information stored on them is no longer accessible.

Deciding between a shredder or a disintegrator can seem challenging.  The proper solution should be based on the needs of the application.  Material being destroyed, desired volume and throughput, particle size, and power requirements are all important factors to consider when selecting a destruction device. SEM has experience working with several different credit card manufacturers and various credit card types. If you would like to send us samples of the cards you need destroyed or want to visit us in person to view our capabilities, SEM is here to work with you to ensure your needs are met.

How to Maintain Data Security in the Secure Printing Industry

February 25, 2019 at 2:12 pm by Paul Falcone

Let’s Get Personal.

When you work in the secure printing industry, you’re working with Personal Identifiable information (PII) every day. Regulations like the Fair and Accurate Credit Transaction Act (FACTA), General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI DSS), and Intergraf have changed the way that we handle and process paper, credit cards, printing plates, and more. So, with all these rules and regulations, are you taking every step necessary when these prints reach the end of their life and need to be securely destroyed?

The Risks:

You may feel that your company or organization is doing a good job destroying data because you’ve been breech-free and have had no major security problems. But in private data and security, threats are constantly evolving, changing, and adapting to the systems that are in place. If you end up being the victim of a breach and word gets out, the following can happen:

– Loss of customers/clients and confidence in your business
– Fraud losses, legal costs, and fines/penalties
– Ultimately lose jobs and go out of business

In fact, studies show that over 60 percent of small businesses that experience a breach never recover and end up going out of business within one year. To avoid this, you need to have a preemptive plan of how to destroy sensitive data correctly and efficiently.

Destruction Guidelines: What Do I Do?


A high quality data destruction shredder can be used to shred all documents that contain any PII. According to FACTA, a shredder needs to make paper unreadable and unable to be recovered. For print, this includes shredding, pulverization, and burning. The NSA standard for print to be unrecoverable is a 1mm by 5mm particle size. A machine like the 244/4 High Security Paper Shredder would do the trick.

In Europe, GDPR not only pushes for just the secure destruction of PII. According to Article 17, the “Right to Erasure”, any consumer can request to have all their personal information wiped from a company at any given time. If a consumer makes the request, the company has 30 days to comply to remove all sensitive information they have on the individual. GDPR standard for paper destruction is a 10mm particle size. This Unclassified shredder list will meet the standard set forth by the GDPR while allowing you to choose a model that fits your workload.

Credit Cards:


When creating a new credit card data, PII can be left behind before the card is even shipped out. Within the process of printing information on a new card, a printing plate is used to create the lettering, design, and some of the security features on the card. In the same manner, tipping foil that is used to personalize cards can have the numbers from the card left in the foil after use.

To be properly secured and maintain client security, all parts of the process must be properly destroyed, including the credit cards themselves. Intergraf, the European federation for print and digital communication, is a rising standard that is quickly becoming adopted in the secure printing industry. The most security-focused printers are choosing to become Intergraf certified, as more and more clients begin to request that their information is properly handled and destroyed. The standard for printing plates is DIN 66399 P-1, while for credit cards the standard is a minimum of P-5.

Credit cards shredded to the DIN 66399 P-5 standard.

When you have a large load of cards to destroy, a machine like the 0201 OMD Optical Media Destroyer would be more than enough to securely destroy cards to a size no one could recover. If you need to destroy credit cards, tipping foil, and printing plates, we recommend using a machine like the 1012/5, which not only destroys all the materials listed, but also runs free of oil.

While the world around us likes to say that print is going away, the reality is that it’s not. The steps that you take today to prepare for the destruction of PII could not only save you money, but your entire job and company as a whole. Keep up to date with the latest standards and use high quality shredders to ensure that you maintain data securely and professionally for you and your clients.